opensc: fix CVE-2024-45620

CVE-2024-45620: A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45620] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168] [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd] [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-01-15 15:24:28 +08:00
parent d51c6495e0
commit c028b36527
4 changed files with 129 additions and 0 deletions
@@ -0,0 +1,42 @@
+From a1bcc6516f43d570899820d259b71c53f8049168 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 09:23:20 +0200
+Subject: [PATCH] pkcs15-starcos: Check length of file to be non-zero
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/20
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-starcos.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-starcos.c b/src/pkcs15init/pkcs15-starcos.c
+index bde7413a46..267ad2b04a 100644
+--- a/src/pkcs15init/pkcs15-starcos.c
+++ b/src/pkcs15init/pkcs15-starcos.c
+@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+ 		return r;
+ 	len = tfile->size;
+ 	sc_file_free(tfile);
+	if (len == 0)
+		return SC_ERROR_INTERNAL;
+ 	buf = malloc(len);
+ 	if (!buf)
+ 		return SC_ERROR_OUT_OF_MEMORY;
+@@ -682,7 +684,7 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+ 	if (num_keys == 0xff)
+ 		num_keys = 0;
+ 	/* encode public key */
+-	keylen  = starcos_encode_pukey(rsa, NULL, kinfo);
+	keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+ 	if (!keylen) {
+ 		free(buf);
+ 		return SC_ERROR_INTERNAL;
+--
+2.34.1
@@ -0,0 +1,34 @@
+From 6baa19596598169d652659863470a60c5ed79ecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 09:35:23 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data before dereferencing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/21
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/iasecc-sdo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 417b6dd57d..98402a4e3f 100644
+--- a/src/libopensc/iasecc-sdo.c
+++ b/src/libopensc/iasecc-sdo.c
+@@ -729,6 +729,9 @@ iasecc_sdo_parse(struct sc_card *card, unsigned char *data, size_t data_len, str
+
+ 	LOG_FUNC_CALLED(ctx);
+
+	if (data == NULL || data_len < 2)
+		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+ 	if (*data == IASECC_SDO_TEMPLATE_TAG)   {
+ 		size_size = iasecc_parse_size(data + 1, &size);
+ 		LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+--
+2.34.1
@@ -0,0 +1,50 @@
+From 468a314d76b26f724a551f2eb339dd17c856cf18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 11:03:46 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data when parsing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/27,29
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/iasecc-sdo.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 4d6be7ad4..bdbd5ab17 100644
+--- a/src/libopensc/iasecc-sdo.c
+++ b/src/libopensc/iasecc-sdo.c
+@@ -334,16 +334,25 @@ iasecc_se_parse(struct sc_card *card, unsigned char *data, size_t data_len, stru
+ 
+ 	LOG_FUNC_CALLED(ctx);
+ 
+	if (data_len < 1)
+		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+ 	if (*data == IASECC_SDO_TEMPLATE_TAG)   {
+ 		size_size = iasecc_parse_size(data + 1, &size);
+ 		LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+ 
+		if (data_len - 1 < size)
+			LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+ 		data += size_size + 1;
+ 		data_len = size;
+ 		sc_log(ctx,
+ 		       "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u",
+ 		       size, size_size);
+ 
+		if (data_len < 3)
+			LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+ 		if (*data != IASECC_SDO_TAG_HEADER)
+ 			LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+ 
+--
+2.34.1
@@ -52,6 +52,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2024-45619-0004.patch \
           file://CVE-2024-45619-0005.patch \
           file://CVE-2024-45619-0006.patch \
+           file://CVE-2024-45620-0001.patch \
+           file://CVE-2024-45620-0002.patch \
+           file://CVE-2024-45620-0003.patch \
          "

 # CVE-2021-34193 is a duplicate CVE covering the 5 individual